TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Desktop and Laptop Software License Management Is Not Being Adequately Performed

June 25, 2013

Reference Number: 2013-20-025

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.treasury.gov/tigta

HIGHLIGHTS

DESKTOP AND LAPTOP SOFTWARE LICENSE MANAGEMENT IS NOT BEING ADEQUATELY PERFORMED

Highlights

Final Report issued on June 25, 2013

Highlights of Reference Number: 2013-20-025 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Computer software is typically protected by Federal copyright law, which requires users of software programs to have a license authorizing such use. Software licenses are legal rights to use software in accordance with terms and conditions specified by the software copyright owner. Software license management at the IRS is not being adequately performed. Efficient and cost-effective management of the IRS’s software assets is crucial to ensuring that information technology services continue to support the IRS’s business operations and help it to provide services to taxpayers efficiently.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine whether the IRS is adequately managing software licenses. Federal requirements and recommended industry best practices govern the use and management of software licenses. The objective of software license management is to manage, control, and protect an organization’s software assets, including management of the risks arising from the use of those software assets. The proper management of software licenses helps to minimize risks by ensuring that licenses are used in compliance with licensing agreements and cost-effectively deployed, and that software purchasing and maintenance expenses are properly controlled.

WHAT TIGTA FOUND

The IRS is not adequately performing software license management and is not adhering to Federal requirements and recommended industry best practices. The IRS does not have enterprisewide or local policies, procedures, and requirements for software license management. The User and Network Services organization was unable to provide us with essential licensing records for properly managing licenses on 24 of 27 software products reviewed during this audit. TIGTA also found that the IRS does not have specialized software license tools designed to be the repository for software and software license deployment. These tools should be used to discover, track, manage, and detect inactive usage of software licenses. Finally, the IRS does not have an accurate inventory of software and related licenses that contains licensing models applicable to each software product which links data on the licenses purchased and deployed with the purchase costs, procurement information, and monitoring and usage data.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer develop policies and guidance and roles and responsibilities for managing software assets and licenses; implement a specialized software license management tool and develop detailed standard operating procedures for using the tool; develop an inventory of software licensing data and maintain the inventory with a specialized software license tool; and maintain data in the inventory that the IRS can use to more effectively manage software spending.

In their response to the report, IRS officials agreed with all six recommendations with slight modifications on four of them. The IRS plans to use best practices to develop enterprisewide software license management policies, procedures, roles, and responsibilities; identify and implement a standard enterprise toolkit with standard operating procedures for the management of software licenses; and collect software inventory data from the toolkit in a central data repository.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

June 25, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael E. McKenney
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Desktop and Laptop Software License Management Is Not Being Adequately Performed (Audit # 201220018)

This report presents the results of our review of the Internal Revenue Service’s (IRS) management of desktop and laptop software licenses. We performed this review to determine whether the IRS is minimizing risks by ensuring that software product licenses are used in compliance with licensing agreements and cost-effectively deployed, and that software purchasing and maintenance expenses are properly controlled. This review is included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Achieving Program Efficiencies and Cost Savings.

In its response, the IRS indicated that the audit examined the IRS’s desktop and laptop environment, which the IRS considers a part of its overarching approach for enterprise software governance. Thus, its corrective actions addressing recommendations include desktop and laptop software licensing as a subset of the enterprise. TIGTA disagrees with this statement. During the audit period, the IRS did not have an overarching approach for enterprise software governance or the assimilation of Information Technology Infrastructure Library (ITIL) Maturity Level 3 processes regarding centralizing the responsibility for software license management.

Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background

Results of Review
    Software License Management Policies and Procedures Have Not Been Established
        Recommendations 1 and 2
    Processes for Using Software License Tools Do Not Adhere to Federal Requirements and Best Practices
        Recommendation 3
        Recommendation 4
    Processes for Software License Inventories Do Not Adhere to Federal Requirements and Best Practices
        Recommendation 5
        Recommendation 6

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Glossary of Terms
    Appendix V – Management’s Response to the Draft Report

Abbreviations

CTO      Chief Technology Officer
IRM      Internal Revenue Manual
IRS      Internal Revenue Service
IT       Information Technology
ITIL®    Information Technology Infrastructure Library
SAM      Software Asset Management
UNS      User and Network Services

Background

Computer software is typically protected by Federal copyright law, which requires users of software programs to have a license authorizing such use. Software licenses are legal rights to use software in accordance with terms and conditions specified by the software copyright owner. Rights to use software are separate from the legal rights to the software itself, which are normally kept by the software manufacturer or other third party. Licenses may be bought and are normally required whenever externally acquired software is used, which will typically be when the software is installed on a computer (or when executed on a computer even if installed elsewhere such as on a server).

Software licenses are one of the main issues addressed by software asset management. Software asset management is a process for tracking and reporting the use and ownership of software assets.
Forrester Research Inc.¹ defines software asset management as:

    The systematic automation of processes to reconcile software licenses and statements of entitlement, maintenance contracts, and original media with installed software and those processes for discovering deployed software assets; to reconcile the assets to their licenses, maintenance contracts, and definitions of entitlement; and to report on compliance and discrepancies in such a way as to minimize the risk of legal action by software vendors as well as loss of service to users or of reputation in the wider world.

The objective of software license management is to manage, control, and protect an organization’s software assets, including management of the risks arising from the use of those software assets. Proper management of software licenses helps to minimize risks by ensuring that licenses are used in compliance with licensing agreements and cost-effectively deployed, and that software purchasing and maintenance expenses are properly controlled.

Software license management can be difficult because:
    • A large amount of information on software and hardware must be discovered and stored.
    • The data need to be kept current on more than an annual basis.
    • The ability to identify installed software and software license usage may be impacted by the complexities with which software is installed and licenses are used.
    • Licensing models and definitions may significantly differ depending on the software product and vendor.

¹ See Appendix IV for a glossary of terms.

The Internal Revenue Service (IRS) reported that in Fiscal Year 2011 it spent $235 million on computer software products. Efficient and cost-effective management of the IRS’s software assets is crucial to ensuring that information technology services continue to support the IRS’s business operations and help it to provide services to taxpayers efficiently.

Federal requirements established by Executive Orders, the Federal Chief Information Officer Council, the National Institute of Standards and Technology, and the Department of the Treasury as well as recommended industry best practices govern the use and management of software licenses. These sources provide guidance to ensure that software licenses are 1) efficiently purchased and are not being unused or underused, 2) used in compliance with copyright laws, and 3) inventoried through the use of adequate recordkeeping systems that control and track the use of licenses.

This review was performed at the User and Network Services (UNS) organization’s Software Asset Management (SAM) office in Fresno, California, during the period June through December 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

Software License Management Policies and Procedures Have Not Been Established

Executive Order 13103, Computer Software Piracy, requires and Information Technology Infrastructure Library’s (ITIL®) best practices recommend the development of software license management policies and procedures and roles and responsibilities. The ITIL and industry best practices recommend a centralized, enterprisewide management structure for software asset management. These best practices indicate that some of the most significant benefits of software asset management, both cost and risk management benefits, come from managing software on an enterprisewide basis. An enterprisewide management structure can actively manage software assets to know the location, configuration, and usage history of every product. In addition, an enterprisewide management structure supported by an enterprisewide inventory and automated software license management tools can better provide procurement staff with the detailed and accurate information needed to negotiate flexible, cost-effective contracts and form the basis for cost-reduction projects such as platform stabilization, volume bundling, securing longer term agreements, and vendor or hardware consolidation. In September 2010, the IRS’s Chief Technology Officer (CTO) outlined a goal to have the Information Technology (IT) organization implement the ITIL best practices over the next several years.
The IRS reported that the IT organization had achieved ITIL Maturity Level 3 in October 2012.

The IRS does not have enterprisewide policies, procedures, and requirements for software license management. The IRS does not have a centralized, enterprisewide organizational structure for managing software licenses, and decentralized units within the IT organization that manage software licenses also do not have local software licensing policies and procedures. The UNS organization within the IT organization, which includes the desktop environment, is responsible for managing one of the largest software license inventories in the IRS, and it does not have policies and procedures for managing software licenses.

The IRS has defined software asset and license management roles and responsibilities only for the Chief Information Officer/CTO in Internal Revenue Manual (IRM) 10.8.2, IT Security Roles and Responsibilities.² IRM 2.14.1, Asset Management, Information Technology (IT) Asset Management,³ does not provide any additional roles and responsibilities for software asset and license management. The IRS also does not have software asset and license management roles and responsibilities for the organizational entities that conduct software asset and license management.

² Dated April 29, 2011.
³ Dated November 8, 2011.

The UNS organization was unable to provide us with essential licensing records for properly managing the licenses on 24 of 27 judgmentally selected⁴ software products we reviewed during this audit.
The UNS organization could not provide licensing agreements for 23 products, documentation for the number of licenses purchased for 15 software products, and license deployment documentation for seven software products.

Our review of documentation provided determined that the UNS organization is not adequately managing software licenses. Specifically, of the 27 software products reviewed, we found:
    • Twenty-one software products did not have an unlimited software license. For 13 of the 21, there were records on either licenses purchased or deployed. We reviewed these records and determined that for three of the 13, the IRS deployed more licenses than it had purchased, and for eight of the 13, the IRS had not used licenses in a cost-effective manner because it deployed significantly fewer licenses than it had purchased.
    • For eight of the 21 software products that did not have an unlimited software license, we could not determine whether licenses were over- or under-deployed because the IRS could not provide us with records showing either the number of licenses purchased or deployed.
    • For five software products with unlimited software licenses, there were records on the number of licenses deployed. For one of the five, the IRS had potentially overspent on unlimited software licenses by not needing to deploy a significant number of licenses.
    • Six of 27 software products had more than one license deployment record. For all six, the IRS had conflicting figures on the number of licenses deployed and had not performed reconciliations to research and identify the differences.

The IRS does not have enterprisewide or local software license management policies and procedures, an enterprisewide license management structure, or roles and responsibilities for the organizational entities that conduct software license management because the IRM section covering a software management program is under development. IRM 2.14.1 states (in Section 13.17) that software management is under development and that procedures are in the process of being defined.

Until the IRS implements an effective program to manage software licenses, the IRS is incurring increased risks in managing software licenses. These risks include: 1) not complying with licensing agreements that could result in embarrassment, legal problems, and financial liability; 2) not using licenses in the most cost-effective manner; and 3) not effectively using licensing data to reduce software purchase and software maintenance costs.

⁴ A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population. We originally selected a judgmental sample of 30 software products but deleted three because we subsequently learned that one product was freeware, another product was internally developed, and another product was not renewed for use in Fiscal Year 2012. See Appendix I for the sampling methodology.

Recommendations

To help ensure that the IRS has software license management policies and procedures and complete roles and responsibilities that adhere to Federal requirements and recommended industry best practices, the CTO should:

Recommendation 1: Develop policies and guidance in the IRM for managing software assets and licenses using ITIL best practices.

    Management’s Response: The IRS agreed with this recommendation. The IRS will utilize best practices such as the ITIL to develop policies and guidance for managing software and licensing from an enterprise perspective in support of and aligned to IRM 2.14.1. The IRS will ensure that policies and guidance are aligned to and include the protocols, functions, and decisionmaking outcomes across Associate Chief Information Officer and other enterprise units by implementing an Enterprise Software Governance Board.

Recommendation 2: Develop UNS organization roles and responsibilities in the IRM for software asset and license management.

    Management’s Response: The IRS agreed with this recommendation with a slight modification. The IRS will develop enterprisewide roles and responsibilities in the IRM for software asset and license management that includes the UNS organization.
    This slight modification to the recommendation will avoid inconsistent processes that may yield different results and information.

Processes for Using Software License Tools Do Not Adhere to Federal Requirements and Best Practices

The National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations,⁵ and Treasury Directive Publication 85-01, Treasury IT Security Program,⁶ require and ITIL and industry best practices recommend implementing enterprisewide software asset discovery, network scanning, license management, and license metering tools. Software asset discovery tools are used to identify installed software and collect relevant details about each installed software product. Network scanning tools are used to detect and remove any unauthorized or unlicensed installed software. Software license management tools help to ensure compliance with licensing agreements by tracking license usage, linking upgrades to original licenses, linking licenses bought to licenses used, and managing the stock of unused licenses. Metering tools help to ensure that licenses are used cost effectively by detecting installed software that is not being used so that the licenses can be redeployed to other users to avoid paying for additional licenses when they are not needed.

⁵ Dated August 2009.
⁶ Dated November 3, 2006.

Even though the IRS does not have written policies and procedures on software license management, through interviews we obtained information on the approach or processes used by the IRS to manage software licenses and compared them to Federal requirements and recommended best practices. Software licenses in the IRS are tracked and managed by decentralized groups that use manual and non-manual techniques, queries, spreadsheets, record systems, scanning tools not specifically designed for software license management to gather rough software data, utilities unique to the software product being tracked, and manual calculations to maintain their own software licensing records.

Due to the lack of an IRS enterprisewide structure for managing software licenses, we focused our testing on the SAM group within the UNS organization. The SAM group is responsible for managing the IRS’s Common Operating Environment and above-baseline desktop and laptop software solutions. The SAM group, which is responsible for managing one of the largest software license inventories in the IRS, performs limited software licensing management. The SAM group does not have specialized software license tools designed to discover, track, manage, detect inactive usage and be the repository for software and software license deployment. The SAM group manually tracks the number of licenses deployed against the number bought. When an employee needs a license, the SAM group verifies that unused licenses are available before issuing the requested license. If no licenses are available, it will request the purchase of additional licenses.
When a computer is turned in, the SAM group will recover licenses and place the erased computer and recovered licenses into inventory. When an employee needs a new computer, the SAM group reimages the computer from inventory and redeploys licenses onto the reimaged computer. The SAM group is unable to scan computers to discover the licenses actually deployed and to identify the use of unauthorized software. In addition, the SAM group does not monitor software usage to determine whether licenses deployed are not being used and could be recycled to be made available to other employees. Three additional groups we reviewed that manage software licenses also do not use software tools to manage license compliance and deployment.

The SAM group has an ongoing project for developing a comprehensive software licensing management process that will include a specialized software license management tool. It plans to initially use the tool to manage licenses for the Common Operating Environment and above-baseline desktop and laptop software products that it is currently responsible for managing. The SAM group plans for the tool to be a centralized inventory system for software inventory and software license management. It plans to 1) use the tool to track, manage, and be the repository for software and software license deployment and usage, 2) use the tool’s network scanning capabilities to perform software and licensing discovery, and 3) reconcile the scanned results of installed software and deployed licenses with contracted licenses. The tool is currently in the testing environment and will then move into the system testing phase.
The SAM group expects it to be ready for full implementation by September 2013.

In addition, the SAM group is developing draft standard operating procedures to be used for managing the Common Operating Environment and above-baseline desktop and laptop software licenses when the tool is implemented. The procedures will outline how the group plans to use the tool to scan computers for collecting data on installed software and match that data against authorized software, licenses, and user or computer entitlements. The matches are designed to identify licensing conditions that pose a risk to software license compliance and to the cost-effective use of licenses, such as 1) installed software that the IRS is not licensed to have, 2) installations of licensed software that were not authorized to have been installed, and 3) installed software that is not being used and for which the licenses could be redeployed to other users. The SAM group also stated that roles and responsibilities will be developed for the project using the ITIL best practices. However, the plans that are being developed by the SAM group are only for the Common Operating Environment and above-baseline desktop and laptop software licenses, not an enterprisewide organizational structure for managing all of the IRS’s software and licenses. In the future, the SAM group indicated that the IRS will consider the possibility of extending the new application’s software license management capability to additional software products used on servers, network devices, and other computers for use by the staff that manage licenses in the Enterprise Operations, Enterprise Networks, and Applications Development organizations.

The IRS’s IT management has not identified and implemented automated software license tools for the enterprisewide management of software licenses, and the IRM section covering the software management program is under development.
As previously stated, the IRS was unable to provide us with the essential licensing records for properly managing the licenses for 24 of the 27 software products we reviewed during this audit. Until the IRS implements enterprisewide software license management tools and processes to conduct software license management, the IRS is incurring increased risks in managing software licenses.

Recommendations

To help ensure that the UNS organization has processes for using software license tools that adhere to Federal requirements and recommended best practices, the CTO should:

Recommendation 3: Develop detailed standard operating procedures for using software licensing tools to manage software licenses.

    Management’s Response: The IRS agreed with this recommendation. As part of the IRS’s enterprise approach, it will develop standard operating procedures for using existing and/or other toolsets as appropriate to manage software licensing for the enterprise.

Recommendation 4: Implement a specialized software license tool designed to discover, track, and manage software license deployment and usage.

    Management’s Response: The IRS agreed with this recommendation with a slight modification. Based on experience, there is no single tool that can discover, track, and manage software license deployment and usage.
As such, the IRS will identify and
        implement a standard enterprise toolkit, which may include multiple tools, to accomplish
        the recommendation.

Processes for Software License Inventories Do Not Adhere to Federal
Requirements and Best Practices
Executive Orders,7 the Department of the Treasury Directive 85-02, Software Piracy Policy,8 and
IRM 10.8.2 require and ITIL and industry best practices recommend creating and maintaining
accurate enterprisewide inventories of installed software and licenses. These inventories should
contain licensing models applicable to each software product and link the data on licenses bought
and deployed, including costs. This will help ensure that software purchased is not unused or
underutilized and that software is used in compliance with copyright laws.
Interviews with the SAM group and the review of documents provided determined that the IRS
does not have an accurate inventory of its software and related licenses. Additionally, the
inventory records do not contain licensing models applicable to each software product that links
data on the licenses purchased and deployed with the purchase costs, procurement information,
and monitoring and usage data. The only location where we could identify an IRS list of the
software it owns was within the IRS’s Application Registration Database. The Application
Registration Database is not an authoritative database for software inventory, and licensing
information within the database cannot be confirmed as complete and accurate. The Application
Registration Database is a control mechanism to ensure that required testing (integration,
compatibility, and security testing) for all new desktop and laptop software products is
performed before the software is placed into the production environment.
Although it contains
licensing data, the data are entered at the beginning of the request and testing process and may
not be updated when procurement and licensing information changes.

7 Executive Order 13103 (Sept. 30, 1998), Computer Software Piracy and Executive Order 13589, Promoting
Efficient Spending (Nov. 09, 2011).
8 Dated May 4, 2010.

The IRS does not have an enterprisewide inventory of software and software licensing data as a
result of not having automated software licensing tools needed to compile such an inventory and
because the IRM section covering a software management program is under development. As
previously stated, our review of software license documentation identified several instances of
software licenses not being adequately managed. For example, for eight of 21 products reviewed
that did not have unlimited licenses, we could not determine whether licenses were over- or
under-deployed because the IRS could not provide us with records showing either the number of
licenses purchased or the number of licenses deployed. Until the IRS develops an enterprisewide
software licensing inventory, the IRS is incurring increased risks in managing software licenses.
In addition, the lack of an enterprisewide inventory with comprehensive data on all software and
software licensing impedes the ability of the IRS to more thoroughly analyze the relationships
among its software license agreements and vendors to more cost-effectively buy software
licenses and maintenance.
In an effort to offset budget constraints, the Strategy and Planning
division within the IT organization established a Vendor and Contract Management office with a
mandate to create savings by promoting innovative sourcing alternatives that generate the same
or additional value while minimizing risk. Because the IRS does not have adequate software
licensing tools and inventories, the Vendor and Contract Management office has to improvise
using various tools and data and search various record systems to manually compile the hardware
and software data and then perform additional ad hoc calculations to conduct its software
licensing analysis. The Vendor and Contract Management office has achieved some software
licensing savings during the last two years, but we believe that better software license inventories
and tools would enable it to identify additional savings opportunities.

Recommendations
To help ensure that the UNS organization has processes for software license inventories that
adhere to Federal requirements and recommended best practices, the CTO should:
Recommendation 5: Develop an inventory of software licensing data and maintain the
inventory with a specialized software license tool designed to discover, track, and manage
software license deployment and usage.
       Management’s Response: The IRS agreed with this recommendation with a slight
       modification. The IRS has developed a software inventory and will leverage this as a
       starting point; however, based on experience, there is no single tool that can discover,
       track, and manage software license deployment and usage. As such, the IRS will identify
       and implement a standard enterprise toolkit, which may include multiple tools, to
       accomplish this recommendation.
Data collected via the toolkit will be consolidated and
       maintained in a central data repository.
       Office of Audit Comment: The IRS does not have an accurate enterprisewide
       inventory of installed software and licenses as required by Executive Orders, Department
       of the Treasury Directive 85-02, and IRM 10.8.2 and as recommended by ITIL and
       industry best practices. Using current inventory information the IRS does have can be a
       starting point for implementing a standard enterprise toolkit that feeds into an enterprise
       software inventory and central data repository.
Recommendation 6: Maintain data in the inventory that the IRS can use to more effectively
review software licensing agreements, purchases, deployment, usage, and other related aspects of
licensing to identify additional savings in software spending.
       Management’s Response: The IRS agreed with this recommendation with a slight
       modification. While the IRS is currently maintaining a software inventory, it will
       enhance this process by leveraging tools. Based on experience, there is no single tool
       that can discover, track, and manage software license deployment and usage. As such,
       the IRS will identify and implement a standard enterprise toolkit that will be consolidated
       and maintained in a central data repository. The IRS progress in this area resulted in
       reducing the IRS’s commercial off-the-shelf software portfolio from 2,723 applications in
       November 2012 to a current 548 by standardizing the Windows 7 portfolio.
The IRS will
       leverage early progress towards its enterprise approach.
       Office of Audit Comment: The IRS does not have an accurate enterprisewide
       inventory of installed software and licenses as required by Executive Orders, Department
       of the Treasury Directive 85-02 and IRM 10.8.2 and as recommended by ITIL and
       industry best practices. Using current inventory information the IRS does have can be a
       starting point for implementing a standard enterprise toolkit that feeds into an enterprise
       software inventory and central data repository. Reducing the portfolio does not address
       our recommendation to maintain data in the inventory that the IRS can use to more
       effectively review software licensing agreements, purchases, deployment, usage, and
       other related aspects of licensing to identify additional savings in software spending.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS is adequately managing
software licenses. To accomplish our objective, we:
I.     Performed electronic research to identify and review Government criteria and
       requirements and non-Government best practices for software license management.
       A. Identified Government criteria and requirements.
       B. Identified non-Government best practices from recognized organizations.
       C.
Identified Government criteria/requirements and previous IRS software license
          management findings from Government Accountability Office and Treasury
          Inspector General for Tax Administration audit reports.
       D. Reviewed, analyzed, and summarized the criteria and requirements found that were
          relevant to the IRS’s management of software licenses.
II.    Determined if the IRS had developed adequate policies and procedures and roles and
       responsibilities for the management of software licenses.
       A. Determined if the IRS had an enterprise policy and procedures for software license
          management that were consistent with the criteria, requirements, and best practices.
       B. Determined if the IRS had roles and responsibilities for software license management
          that are consistent with the criteria, requirements, and best practices and that the IRS
          had assigned roles and responsibilities for all software license management
          procedures.
       C. Determined if the IRS’s policies and procedures and roles and responsibilities
          established a centralized, rather than decentralized, organization and structure for
          software license management.
III.   Determined if the IRS had a centralized licensing inventory and manages/maintains the
       inventory with software tools designed for license management.
       A. Determined if the IRS had a centralized inventory of its software assets, including
          licensing data.
       B. Determined if the IRS had adequately used software asset discovery tools and usage
          monitoring tools.
                1.
Determined how frequently the IRS performed software asset discovery and usage
                   scans and generated management reports.
                2. Determined if the IRS scans were capable of detecting various licensing
                   conditions.
                3. Determined if the IRS used software licensing reports from the discovery tool to
                   reconcile known software assets and licenses against discovery results and to
                   resolve exceptions or noncompliance with software licenses.
                4. Determined if the IRS used software license inventory data to better negotiate
                   software license purchases and maintenance agreements with vendors.
IV.        Determined if the IRS adequately managed software licenses on a sample of software
           products.
           A. To select a judgmental sample1 of software products for review, we began with a
              population of 975 Common Operating Environment software products as of
              April 4, 2012. We limited our sample to the Common Operating Environment and
              above-baseline software because such software is installed on workstations and
              laptops.
           B. We deleted from the list products that the IRS had not approved for installation at the
              present time, Government internally developed software, freeware, older versions of a
              software product when a newer version was being used, patches, and utilities related
              to the software products. This reduced the list to 372 software products from which
              to draw a judgmental sample.
           C. For the 372 products, we used several IRS sources to obtain data on the estimated
              number of users or licenses. We determined which was baseline software installed on
              all workstations or above-baseline software not installed on all workstations.
For
              about 45 products, we also obtained data on the number of licenses bought and the
              purchase price.
           D. From the list of 372 products, we judgmentally selected 30 software products to
              sample as follows.
                1. Five products with at least 100,000 users or licenses were selected because we
                   believed large volumes could present license management difficulties.
                2. Fifteen products having 500 to 99,999 users or licenses were also selected
                   because we believed large volumes could present license management difficulties.
           3. Only three products having less than 500 licenses or users were selected to
              provide coverage and because we believed smaller volumes could present fewer
              license management difficulties.
           4. The four highest dollar value licensed products were selected because of the
              potential dollar impact if licenses were not adequately managed.
           5. Only three Common Operating Environment baseline products were selected
              because we believed if they are counted on all workstations it could present fewer
              license management difficulties.

1 A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

       E. Performed the following on each of the selected software products.
           1. Requested the software licensing agreement.
           2. Reviewed the provided records used by the IRS to manage and track the
              deployment of software licenses.
           3.
Determined the scope of the IRS’s software licensing management and tracking
              activities.
       F. On each of the selected software products, obtained additional documentation and
          interviewed IRS employees as necessary to substantiate the accuracy of the software
          licensing data being managed and tracked.
       G. On each of the selected software products, determined if the IRS is managing and
          tracking licenses.
       H. On each of the selected software products, determined how exceptions or
          noncompliance with software licenses are resolved.
       I. Determined if the software licensing data that is managed and tracked on each of the
          selected software products is shared with the Office of Procurement staff to help
          better negotiate software license purchases and maintenance agreements with
          vendors.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: the IT organization’s policies, procedures,
and processes for managing and tracking software licenses.
We evaluated these controls by
interviewing IT organization management, identifying Federal requirements and industry best
practices for managing and tracking software licenses, and reviewing software license
management and tracking on a sample of software products.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Danny Verneuille, Director
John Ledford, Audit Manager
Richard Borst, Lead Auditor
Chanda Stratton, Senior Auditor
Kasey Koontz, Auditor

Appendix III

Report Distribution List

Principal Deputy Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Operations OS:CTO
Associate Chief Information Officer, Strategy and Planning OS:CTO:SP
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Director, Operations Service Support OS:CTO:UNS
Director, Vendor Contract Management OS:CTO:SP:VCM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division
OS:CTO:SP:RM

Appendix IV

Glossary of Terms

           Term                                               Definition
Applications Development       A part of the IRS IT organization responsible for building, testing,
Organization                   delivering, and maintaining integrated information applications systems
                               to support modernized systems and the production environment.
Best Practices                 Proven activities or processes that have been successfully used by
                               multiple organizations.
Chief Information Officer      As the principal interagency forum on Federal information technology,
Council                        the purpose of the Chief Information Officer Council is to foster
                               collaboration among Federal Government Chief Information Officers in
                               strengthening Governmentwide information technology management
                               practices.
Common Operating               A standardized, configured computer image on IRS workstation
Environment                    computers integrated with a set of standard software packages to support
                               the needs of all IRS employees.
Enterprise Operations          The part of the IRS IT organization that provides server and mainframe
Organization                   computing services for all IRS business entities and taxpayers.
Executive Orders               Legally binding orders given by the President, acting as the head of the
                               Executive
Branch, to Federal Administrative Agencies. Executive
                               Orders are generally used to direct Federal agencies and officials in their
                               execution of congressionally established laws or policies.
Executive Order 13103,         Requires Federal agencies to develop software license management
Computer Software Piracy       policies and procedures. It also requires Federal agencies to prepare
                               inventories of software present on computers to help ensure that
                               software is used in compliance with copyright laws.
Executive Order 13589,         Requires Federal agencies to take inventory of their information
Promoting Efficient Spending   technology assets and ensure that they are not paying for unused or
                               underutilized installed software.
Forrester Research Inc.        A global research and advisory firm that provides research guidance to
                               the information technology industry.
Government Accountability       The audit, evaluation, and investigative arm of Congress that provides
Office                          analyses, recommendations, and other assistance to help Congress make
                                informed oversight, policy, and funding decisions.
Information Technology          Provides guidelines for the use and management of software and
Infrastructure Library (ITIL)   licenses.
                                The ITIL is a widely accepted set of concepts and practices for
                                information technology service
management derived from user and
                                vendor experts in both the private and public sectors. The ITIL focuses
                                on the key service management principles pertaining to service strategy,
                                service design, service transition, service operation, and continual
                                service improvement, with each principle being covered in a separate
                                ITIL core publication. Software asset management is a key process
                                described within the service transition core publication. The ITIL also
                                has a separate publication entitled Best Practice Software Asset
                                Management that covers software asset and license management best
                                practices in more depth than the core publication. ITIL best practices
                                recommend 1) the development of software license management
                                policies and procedures and roles and responsibilities; 2) a centralized,
                                enterprisewide management structure for software asset management;
                                3) the use of software license management tools; and 4) the creation and
                                maintenance of accurate enterprisewide inventories of software licenses.
Information Technology          Maturity levels refer to an IT organization’s ability to perform.
An
Infrastructure Library          organization passes through five evolutionary levels as it becomes more
Maturity Levels                 competent:
                                Level 1: Initial – Focuses on technology and technology
                                excellence/experts.
                                Level 2: Repeatable – Focuses on products/services and operational
                                processes (e.g., Service Support).
                                Level 3: Defined – Focuses on the customer and proper service level
                                management.
                                Level 4: Managed – Focuses on business/information technology
                                alignment.
                                Level 5: Optimized – Focuses on value and the seamless integration of
                                information technology into the business and strategy making.
Information Technology          The IRS organization responsible for delivering information technology
Organization                    services and solutions that drive effective tax administration to ensure
                                public confidence.
National Institute of           A part of the Department of Commerce that is responsible for
Standards and Technology        developing standards and guidelines for providing adequate information
                                security for all Federal Government agency operations and assets.
National Institute of           Requires that Federal agencies employ tracking systems, such as
Standards
and Technology        specialized fully automated applications depending on the needs of the
Special Publication             organization, for software protected by quantity licenses to control
800-53, Recommended             copying and distribution and to help ensure that software is used in
Security Controls for Federal   accordance with licensing agreements.
Information Systems and
Organizations
Software License Agreement      The legal contract between the owner and purchaser of a piece of
                                software that establishes the purchaser’s rights. A software license
                                agreement provides details and limitations on where, how, how often,
                                and when the software can be installed and used and provides
                                restrictions that are imposed on the software. The agreement includes
                                the licensing model that will be used for defining and measuring the use
                                of the software. For example, a common simple license model could be
                                based on how many people can use the software and how many systems
                                the software may be installed on.
Software companies also make special
                                license agreements for large business and Government entities that may
                                be different from those provided to the general consumer.
Treasury Directive              Requires that bureaus periodically scan their networks to detect and
Publication 85-01, Treasury     remove any unauthorized or unlicensed software.
IT Security Program
Treasury Directive 85-02,       Issued to implement Executive Order 13103 and requires that bureaus
Software Piracy Policy          establish and maintain an accurate software inventory to help ensure that
                                software is used in accordance with software license agreements.
User and Network Services       A part of the IRS IT organization established in April 2012 that
Organization                    combined the End User Equipment and Services organization and the
                                Enterprise Networks organization. End User Equipment and Services
                                provides information technology products and services to IRS end
                                users. It is the single point of accountability for personal computing,
                                help desk support, asset management, local area networks, and
                                telephone communications support.
The Enterprise Networks
                                organization provides communications technologies for internal and
                                external customers and manages the design and engineering of the IRS’s
                                telecommunications environment.

Appendix V

Management’s Response to the Draft Report